AWS Certified Developer – Associate (DVA-C02) — Question 380
A company hosts its application in the us-west-1 Region. The company wants to add redundancy in the us-east-1 Region.
The application secrets are stored in AWS Secrets Manager in us-west-1. A developer needs to replicate the secrets to us-east-1.
Which solution will meet this requirement?
Answer options
- A. Configure secret replication for each secret. Add us-east-1 as a replication Region. Choose an AWS Key Management Service (AWS KMS) key in us-east-1 to encrypt the replicated secrets.
- B. Create a new secret in us-east-1 for each secret. Configure secret replication in us-east-1. Set the source to be the corresponding secret in us-west-1. Choose an AWS Key Management Service (AWS KMS) key in us-west-1 to encrypt the replicated secrets.
- C. Create a replication rule for each secret. Set us-east-1 as the destination Region. Configure the rule to run during secret rotation. Choose an AWS Key Management Service (AWS KMS) key in us-east-1 to encrypt the replicated secrets.
- D. Create a Secrets Manager lifecycle rule to replicate each secret to a new Amazon S3 bucket in us-west-1. Configure an S3 replication rule to replicate the secrets to us-east-1.
Correct answer: A
Explanation
AWS Secrets Manager has built-in multi-Region replication: you enable it on the primary secret in us-west-1, add us-east-1 as a replica Region, and pick a KMS key that exists in us-east-1 to encrypt the replica. KMS keys are regional, so the replica must be encrypted with a key in the replica Region, not with the primary's us-west-1 key. After that, every change to the primary secret (a manual update or a rotation) is synced to the replica automatically, and the replica can be read from us-east-1 with the same secret name. Option B is wrong on both counts: replication is configured on the primary secret, not by creating a separate secret in the destination, and it names a KMS key in the wrong Region. Option C describes a "replication rule" that runs only during rotation, which is not how the feature works; replicas stay in sync on any change, not just rotation. Option D relies on a Secrets Manager lifecycle rule that does not exist and would copy secret values into S3, exposing them outside the service and losing the native encryption and access controls.
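The following is an added example (not part of the original question or of any AWS sample) showing the replication call the correct answer describes, with a guard for the mistake in option B (a KMS key in the wrong Region) and a readback of the replica status. It assumes boto3 and the `replicate_secret_to_regions` / `describe_secret` API calls; the secret name, account ID and key IDs are constructed placeholders, and `OfflineSecretsManager` is a constructed stand-in for the boto3 client so the code runs without AWS credentials.

```python
"""Added example: configure Secrets Manager cross-Region replication and verify it.

Not from the question page. Assumes boto3 is installed and, for the real client,
that the caller is allowed secretsmanager:ReplicateSecretToRegions on the primary
secret and use of the destination KMS key. All ARNs below are constructed placeholders.
"""

PRIMARY_REGION = "us-west-1"
REPLICA_REGION = "us-east-1"

# Constructed placeholder key ARNs: one in the replica Region, one in the primary.
EAST_KEY = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
WEST_KEY = "arn:aws:kms:us-west-1:123456789012:key/66666666-7777-8888-9999-000000000000"


def kms_key_usable_in(kms_key_arn: str, region: str) -> bool:
    """True only if kms_key_arn is a KMS key ARN whose Region field equals `region`.

    KMS keys are regional, so a replica in us-east-1 must be encrypted with a
    us-east-1 key (answer option B gets this wrong). A bare key ID or alias
    carries no Region, so this check requires the full ARN form
    arn:partition:kms:region:account:key/id.
    """
    parts = kms_key_arn.split(":", 5)
    return len(parts) == 6 and parts[0] == "arn" and parts[2] == "kms" and parts[3] == region


def build_replication_request(secret_id: str, replica_region: str, kms_key_arn: str,
                              force_overwrite: bool = False) -> dict:
    """Build the kwargs for SecretsManager.replicate_secret_to_regions, refusing a
    key that cannot be used in the replica Region."""
    if not kms_key_usable_in(kms_key_arn, replica_region):
        raise ValueError(f"{kms_key_arn!r} is not a KMS key ARN in {replica_region}; "
                         "the replica must use a key in its own Region")
    return {
        "SecretId": secret_id,
        "AddReplicaRegions": [{"Region": replica_region, "KmsKeyId": kms_key_arn}],
        # Keep False unless you mean it: True overwrites an unrelated secret that
        # already exists under the same name in the replica Region.
        "ForceOverwriteReplicaSecret": force_overwrite,
    }


def replica_status(describe_response: dict, region: str) -> str:
    """Status of one replica from a DescribeSecret response ('InSync', 'InProgress'
    or 'Failed'); 'Missing' if no replica exists in that Region."""
    for entry in describe_response.get("ReplicationStatus", []):
        if entry.get("Region") == region:
            return entry.get("Status", "Unknown")
    return "Missing"


def replicate_and_verify(secret_id: str, replica_region: str, kms_key_arn: str,
                         client=None) -> str:
    """Enable replication on the primary secret and return the replica's status.

    `client` defaults to a boto3 Secrets Manager client in the primary Region;
    pass OfflineSecretsManager() to run without AWS access.
    """
    if client is None:
        import boto3  # only needed for the real call
        client = boto3.client("secretsmanager", region_name=PRIMARY_REGION)
    client.replicate_secret_to_regions(
        **build_replication_request(secret_id, replica_region, kms_key_arn))
    # Replication is asynchronous; a freshly added replica may report InProgress.
    return replica_status(client.describe_secret(SecretId=secret_id), replica_region)


class OfflineSecretsManager:
    """Constructed stand-in for the boto3 client: records the request and reports
    each added replica as InSync so the example runs offline."""

    def __init__(self):
        self.requests = []
        self.replicas = {}

    def replicate_secret_to_regions(self, **kwargs):
        self.requests.append(kwargs)
        for r in kwargs["AddReplicaRegions"]:
            self.replicas[r["Region"]] = {"Region": r["Region"],
                                          "KmsKeyId": r["KmsKeyId"], "Status": "InSync"}
        return {"ARN": kwargs["SecretId"], "ReplicationStatus": list(self.replicas.values())}

    def describe_secret(self, SecretId):
        return {"ARN": SecretId, "ReplicationStatus": list(self.replicas.values())}


if __name__ == "__main__":
    fake = OfflineSecretsManager()
    print(replicate_and_verify("prod/app/db-credentials", REPLICA_REGION, EAST_KEY, client=fake))
    try:
        build_replication_request("prod/app/db-credentials", REPLICA_REGION, WEST_KEY)
    except ValueError as exc:
        print("rejected:", exc)
```

To run it against a real account, drop the `client=fake` argument; the primary-Region client is what issues the replication call, and the KMS key ARN must point at a key in us-east-1 that the caller is allowed to use. Check `replica_status` until it reports `InSync` before relying on the replica.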